Is this secure?

On 2010-02-25 02:07, Steven D'Aprano wrote:
> On Wed, 24 Feb 2010 18:23:17 +0100, mk wrote:
>> Anyway, the passwords for authorized users will be copied and pasted
>> from email into the application GUI which will remember it for them,
>> so they will not have to remember and type them in.
>
> So to break your application's security model, all somebody has to do is
> use their PC and they have full access to their account?
> Or get hold of the copy and paste buffer?
> Or the application's config files?

Yes. There's no way around this, short of forcing them to use a hardware
key, which is overkill for this application.

>> So I have little in
>> the way of limitations of password length - even though in *some* cases
>> somebody might have to (or be ignorant enough to) retype the password
>> instead of pasting it in.
>
> Or your users might be sensible enough to not trust a roll-your-own
> security model, and prefer to memorize the password than to trust that
> nobody will get access to their PC.

The app is not that critical, it's about a quarterly subscription to the
service, and the users will be able to reset the password anyway. If it
were that critical, I'd use the hardware keys; if hardware keys are not
used, once somebody gains (unconstrained) access to the user's PC,
there's not much that the app developer can do. I've read somewhere a
warning from a PuTTY developer that even though the key is (normally)
protected by the passphrase, losing even an encrypted key is quite
likely to lead to its compromise. There's even some software for that on
the net:
http://www.neophob.com/serendipity/index.php?/archives/127-PuTTY-Private-Key-cracker.html

>> The main application will access the data using HTTP (probably), so the
>> main point is that an attacker is not able to guess passwords using
>> brute force.
>
> And why would they bother doing that when they can sniff the wire and get
> the passwords in plain text? You should assume your attackers are
> *smarter* than you, not trust them to be foolish.

I should have written HTTPS.

Regards,
mk